• Thursday, 16th April, 2026

Experts Urge Gaming Firms to Strengthen Data Protection Compliance

Sport | 3 hours ago

As Nigeria’s gaming industry continues to expand across digital platforms, questions around how operators collect, process and store user data are becoming harder to ignore, writes Iyke Bede

With betting platforms handling large volumes of personal and financial information, compliance with data protection laws is increasingly central to how the sector operates.

These issues were the focus of a recent webinar organised by SLEC Africa, titled ‘Data Protection in Gaming: Compliance, Cross-Border Risk, and Audits’. The session examined how gaming operators in Nigeria can navigate regulatory expectations while managing the realities of a technology-driven industry in which data often crosses borders.

Speakers at the event included Principal Partner, Law Allianz, Yahaya Maikori, and DPO, KC Gaming Networks Limited (Bet9ja), Oluwafemi Fadeyi. Both speakers approached the topic from different angles: one from a legal standpoint and the other from the operational realities of compliance.

Opening the discussion, Maikori explained that the growing relevance of data protection is tied to the nature of modern technology. According to him, “tech is invasive”, particularly in how it enables the constant flow and sharing of information across platforms.

He noted that Nigeria’s data protection framework is rooted in the right to privacy guaranteed under Section 37 of the Constitution. That constitutional protection is further strengthened by the Nigerian Data Protection Act, which established the Nigerian Data Protection Commission as the country’s regulatory authority for data governance.

Within the gaming sector, compliance with these rules goes beyond legal requirements and is also a business concern. Maikori pointed to the reputational risks operators face when user data is mishandled or exposed. Data breaches, he said, can erode customer trust and invite regulatory scrutiny.

At the same time, he argued that regulatory enforcement should not be seen purely as a punitive tool.

“The NDPC is probably one of the fastest-growing agencies in Nigeria. What this means is that, at the rate we are going, there is a punitive element to it… and a revenue-collection (element) to it. We need to be careful,” he said.

Beyond reputational concerns, Maikori stressed that gaming remains one of the most heavily regulated industries globally. As such, operators must treat compliance as a core operational responsibility rather than an afterthought.

He outlined several guiding principles that underpin data protection practices, including lawful collection, consumer consent, and data minimisation.

One of the more complex areas discussed during the session was cross-border data transfer. Many gaming platforms rely on international technology infrastructure, such as cloud storage and external servers. As a result, user data often leaves Nigeria’s jurisdiction during routine operations.

Maikori said this raises issues around data sovereignty, particularly because much of the digital infrastructure used by companies is hosted outside the country. While local data hosting remains an option, he acknowledged that some operators may still depend on foreign systems due to reliability or security concerns.

The law, however, places clear obligations on organisations that process user data. A central requirement is the appointment of a Data Protection Officer (DPO), whose role includes serving as an interface between the organisation and the regulator.

Failure to meet these obligations carries consequences. Operators may face financial penalties, legal action from affected users, or regulatory sanctions. In extreme cases, platforms could be restricted from operating if they fail to meet compliance standards.

To help organisations manage these risks, Maikori outlined a compliance roadmap that operators should adopt. This includes conducting annual data mapping exercises to identify the types of personal information they collect and how it flows within the organisation. Other recommended measures include executing comprehensive data processing agreements with third-party vendors, conducting regular staff training on privacy obligations, and maintaining clear incident response procedures in case of data breaches.

Companies are also expected to maintain up-to-date Records of Processing Activities that document how data is handled, stored, and shared. Before deploying new technologies—especially systems that process large amounts of personal information—operators should conduct Data Protection Impact Assessments to identify potential risks.

Building on these legal and governance considerations, Fadeyi focused on the operational realities faced by gaming companies. His presentation highlighted the growing importance of cross-border data transfer compliance.

According to him, personal data can only be transferred outside Nigeria under specific conditions. One pathway is through adequacy decisions, where the Nigerian regulator confirms that the receiving country has sufficient legal protections for personal data.

Another option is to use recognised compliance tools, such as Standard Contractual Clauses, Binding Corporate Rules, or specific certification mechanisms approved by regulators.

Where these instruments are not in place, organisations may still transfer data under limited circumstances. These include situations in which the user has given explicit consent, the transfer is necessary for the performance of a contract, or legal claims or public-interest considerations are involved.

Fadeyi also restated that compliance should begin at the highest level of an organisation. What he described as a “tone from the top” approach requires executive leadership to prioritise privacy governance rather than leaving it solely to technical teams.

Fadeyi further highlighted that compliance should begin at the highest level of an organisation. What he described as a “tone from the top” approach requires executive leadership to prioritise privacy governance rather than leaving it solely to technical teams.

The discussion also touched on emerging risks linked to artificial intelligence. Both speakers warned that organisations must exercise caution when using AI tools that process or analyse data. Large language models, for instance, are often trained using vast datasets, raising concerns about confidentiality and unintended exposure of sensitive information.

Another risk involves the rise of so-called shadow AI tools—systems adopted informally by employees without proper oversight from company management.

Finally, the speakers highlighted the importance of transparency in how gaming platforms interact with users online. Websites, they noted, should include clear cookie management systems that allow users to accept or decline data tracking.

Such mechanisms not only improve transparency but also help operators demonstrate compliance if regulators conduct random audits.

Related Articles

Founded on January 22, 1995, THISDAY is published by THISDAY NEWSPAPERS LTD., 35 Creek Road Apapa, Lagos, Nigeria with offices in 36 states of Nigeria , the Federal Capital Territory and around the world. It is Nigeria’s most authoritative news media available on all platforms for the political, business, professional and diplomatic elite and broader middle classes while serving as the meeting point of new ideas, culture and technology for the aspirationals and millennials. The newspaper is a public trust dedicated to the pursuit of truth and reason covering a range of issues from breaking news to politics, business, the markets, the arts, sports and community to the crossroads of people and society.

Helpful Links

Contact Us

You can email us at: hello@thisdaylive.com or visit our contact us page.